Cybercriminals have become more sophisticated in recent years, finding new ways to evade detection by traditional anti-virus tools. One of the most popular is to sign malware with a legitimate code-signing certificate so that the program appears trustworthy. According to a new report by Kaspersky Lab, the number of legitimate certificates used for nefarious purposes has risen from 1,500 to 6,000 over the last six years.
A recent blog post by the security firm describes how the evasion technique is being used more and more. Certificates that were obtained legally are used to sign malware, which raises the rate of infection because signed files are far less likely to be blocked. Researchers also found that attackers break into software vendors' corporate networks and use their build servers to compile a malicious file, which the build pipeline then signs automatically with the vendor's digital signature. Another method is to hijack the web installer of a legitimate product and swap out the link it follows, so that it downloads a different distribution kit and installs malware on the victim's system.
Hackers leverage inherent trust of certificates
Many businesses rely on digital certificates to tell them that a file is free of malicious code. Plenty of system administrators build security policies around the idea that users can safely run files signed with a legitimate certificate, and some anti-virus tools go further, automatically allowing any file that carries a valid signature on the assumption that it is secure. A valid signature, though, only proves that the file has not been modified since it was signed and that the signer held the certificate's private key; it says nothing about whether the code is benign. Because of this misplaced trust, cybercriminals can trick far more victims into running their malware.
Malware that leverages legitimate certificates relies on the fact that most enterprises do not second-guess signed files. Defending against such threats therefore means increasing visibility and monitoring, and one of the most reliable ways to do that is a security information and event management (SIEM) service. A managed SIEM solution gives businesses continuous monitoring of network and endpoint activity to identify suspicious or anomalous behavior, such as a never-before-seen binary signed with a vendor's key or an installer fetching its payload from an unexpected host. Event activity is recorded and analyzed so that actionable information can be provided to the company for building a more robust defense. A concierge SIEM service lets organizations keep offering customers the data privacy they expect while still having insight into any nefarious activity taking place on their networks, improving security from all sides.
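To make the point concrete, here is an added example (not code from Kaspersky's report or from any SIEM product) that runs a detection policy over a handful of constructed process-creation events. It contrasts the "auto-allow anything with a valid signature" behaviour described above with a policy that treats the signature as an identity claim to be checked: the publisher must be one the organization has approved, the file hash must match a known vendor release (a newly signed hash under a trusted key is what a build-server compromise looks like), and an installer must fetch its payload from one of the vendor's own hosts (a swapped download link trips this). The vendor names, thumbprints, hashes, hosts and the event layout are all invented for the example; the fields are loosely modelled on Sysmon process-creation and network-connection data, correlated per process, and the baselines would in practice come from vendor-published hashes or a reputation feed.

```python
"""Signed != safe: a signature-aware allow/alert policy over constructed events.

Everything here (vendor, thumbprints, hashes, hosts) is made up for illustration.
"""

# Constructed events, loosely modelled on Sysmon fields. "download_host" stands
# in for a network-connection event already correlated to the same process.
EVENTS = [
    # 1. Known release of an approved vendor, running from its install directory.
    {"id": 1, "image": r"C:\Program Files\Contoso\contoso.exe",
     "sha256": "1111", "signed": True, "signer": "Contoso Software Ltd",
     "thumbprint": "CONTOSO-THUMB-1", "download_host": None},
    # 2. Same vendor key, but a hash never seen in any vendor release: the
    #    footprint of a compromised build server that auto-signs its output.
    {"id": 2, "image": r"C:\Users\alice\AppData\Local\Temp\contoso_update.exe",
     "sha256": "2222", "signed": True, "signer": "Contoso Software Ltd",
     "thumbprint": "CONTOSO-THUMB-1", "download_host": None},
    # 3. Valid signature from a publisher nobody in the organization approved:
    #    a legally obtained certificate in the wrong hands still verifies.
    {"id": 3, "image": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "sha256": "3333", "signed": True, "signer": "Fabrikam Trading LLC",
     "thumbprint": "FABRIKAM-THUMB-9", "download_host": None},
    # 4. The vendor's genuine web installer, but it pulls the payload from a host
    #    that is not one of the vendor's distribution hosts (swapped link).
    {"id": 4, "image": r"C:\Users\alice\Downloads\contoso_websetup.exe",
     "sha256": "4444", "signed": True, "signer": "Contoso Software Ltd",
     "thumbprint": "CONTOSO-THUMB-1", "download_host": "cdn.evil-example.net"},
    # 5. Unsigned binary, the only case the naive policy ever looks at closely.
    {"id": 5, "image": r"C:\Users\alice\Downloads\tool.exe",
     "sha256": "5555", "signed": False, "signer": None,
     "thumbprint": None, "download_host": None},
]

# Organization-maintained baselines (hypothetical). Keyed by certificate
# thumbprint rather than by subject name, because names are not unique.
TRUSTED_PUBLISHERS = {"CONTOSO-THUMB-1": "Contoso Software Ltd"}
KNOWN_RELEASE_HASHES = {"CONTOSO-THUMB-1": {"1111", "4444"}}
VENDOR_DOWNLOAD_HOSTS = {"CONTOSO-THUMB-1": {"download.contoso.example"}}


def naive_policy(event):
    """What an AV that auto-allows any validly signed file effectively does."""
    return "allow" if event["signed"] else "scan"


def hardened_policy(event):
    """Return (decision, reason). The signature is a claim to verify, not a verdict."""
    if not event["signed"]:
        return "scan", "unsigned binary"
    tp = event["thumbprint"]
    if tp not in TRUSTED_PUBLISHERS:
        return "review", f"valid signature from unapproved publisher {event['signer']!r}"
    if event["sha256"] not in KNOWN_RELEASE_HASHES.get(tp, set()):
        return "alert", "new hash signed with an approved vendor key (possible build-server compromise)"
    host = event["download_host"]
    if host and host not in VENDOR_DOWNLOAD_HOSTS.get(tp, set()):
        return "alert", f"installer fetching its payload from unexpected host {host}"
    return "allow", "known release of an approved publisher"


def evaluate(events):
    """Run both policies; each row is (event id, naive decision, hardened decision, reason)."""
    return [(e["id"], naive_policy(e), *hardened_policy(e)) for e in events]


if __name__ == "__main__":
    for event_id, naive, hardened, reason in evaluate(EVENTS):
        print(f"event {event_id}: naive={naive:<5} hardened={hardened:<6} {reason}")
```

Run as-is and the naive column allows events 1 through 4 and only flags the unsigned one, while the hardened column allows only event 1 and surfaces the three signed-but-suspicious cases with a reason a SIEM analyst can act on. The hash baseline is the expensive part to maintain, which is exactly why a managed service tends to own it rather than each site rebuilding it by hand.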